How Social Networking Can Be Used To Identify Distributors

You often hear reports about the privacy implications of social networking sites such as Facebook, Bebo and MySpace,
but these sites could potentially be used to bring charges against you for the distribution of copyrighted material.



I've not heard of any such cases, but it is theoretically possible. Consider the following example:

  • I obtain a copy of Windows 7 and either crack it, or find a download that becomes pre-activated.
  • I'm quite impressed with it, and pass copies to any of my friends who want one.

So how exactly does Facebook help lead to my downfall? It's scarily simple:

Each copy of Windows has a unique product ID, unless of course you happen to be sharing copies of the same disc! So if my product ID is 1234, the product ID of everyone I've given a copy to will also be 1234. This makes it easy for Microsoft to spot that some sharing has been going on, but the clever bit starts when trying to ascertain who was distributing the copies.

Let's look at the friends I've shared my copy of Windows with.

I've given copies to:

  • Jon
  • Alan
  • Ray
  • James
  • Roger
  • Alistair
  • Brian
  • Sandra
  • Alex

Now the odds are that not all my friends know my other friends. For convenience, let's base our social circles on the first letter of their names, so:

  • Jon knows James but doesn't know any of the others
  • Alan knows Alistair and Alex but doesn't know any of the others
  • Ray knows Roger but doesn't know any of the others
  • Brian doesn't know any of the others
  • Sandra doesn't know any of the others

So, all these friends are using a copy of Windows 7 with the product key 1234. During Windows Update or some other phone-home script, Microsoft notices this and decides to investigate. They start by looking each of us up on Facebook (assuming we all use it). This could be done through spyware delivered via Windows Update, or by a little thorough investigation.

Once they have found us all, they start examining our lists of friends, and the logic is quite simple:

  • Jon could have passed the copy to James and me
  • Alan could have passed the copy to Alistair, Alex and me
  • Ray could have passed the copy to Roger and me
  • Brian could have passed the copy to me
  • Alex could have passed the copy to me
  • Only I could have passed the copy to each of these users

Now Brian could have passed me a copy, and I could have passed it onto all the others, or even just one person within each group. In this scenario, I'm not the source, but I am the major distributor.

Even if two groups interlink slightly (for example Jon knows Alan), if one group is only linked to the other group(s) through their friendship with you, it's likely that you are the source. In fact, it's almost guaranteed that you are either the source or a distributor.

It's more realistic to believe that the groups would overlap slightly, and also that not everyone you pass a copy to will use Facebook/Bebo/MySpace. Unfortunately, these do not detract from the possibility of being traced: it only takes a small percentage of your friends to be using the social networking site and it becomes possible to trace these things back to you.
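The friend-list reasoning above, including the case where only some friends are visible on the site, can be written as a small link-analysis sketch. This is an added example, not part of the original article: the names come from the article, while "Me", the function names and the choice of which friends are visible are assumptions.

```python
from collections import deque

# Constructed friend lists mirroring the article's example ("Me" is the author).
FRIEND_LISTS = {
    "Me": ["Jon", "James", "Alan", "Alistair", "Alex",
           "Ray", "Roger", "Brian", "Sandra"],
    "Jon": ["James"],
    "Alan": ["Alistair", "Alex"],
    "Ray": ["Roger"],
}

def build_graph(friend_lists):
    """Friendship is mutual, so store every edge in both directions."""
    graph = {}
    for person, friends in friend_lists.items():
        graph.setdefault(person, set())
        for friend in friends:
            graph[person].add(friend)
            graph.setdefault(friend, set()).add(person)
    return graph

def count_groups(graph, nodes):
    """Number of connected components when only `nodes` are considered."""
    unseen, groups = set(nodes), 0
    while unseen:
        groups += 1
        queue = deque([unseen.pop()])
        while queue:
            for friend in graph[queue.popleft()] & unseen:
                unseen.remove(friend)
                queue.append(friend)
    return groups

def rank_hubs(graph, holders):
    """Per holder: (name, holders befriended, groups left without them)."""
    holders = set(holders)
    rows = []
    for person in holders:
        others = holders - {person}
        rows.append((person, len(graph[person] & others),
                     count_groups(graph, others)))
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))

GRAPH = build_graph(FRIEND_LISTS)
EVERYONE = set(GRAPH)                            # all ten installs report ID 1234
PARTIAL = {"Me", "Jon", "Alan", "Ray", "Brian"}  # only some friends use the site

if __name__ == "__main__":
    for label, holders in (("all", EVERYONE), ("partial", PARTIAL)):
        print(label, rank_hubs(GRAPH, holders)[:3])
```

In both runs the top row is the one person whose removal splits the holders into unconnected groups, which is why hiding the friends list matters more than hiding the rest of the profile.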

Many people still add people they don't know to their 'friends' lists, which presents two problems. Firstly, even if your profile and 'friends' list are set to friends only, if you add the investigator as a friend (they're not likely to tell you who they really are!) they'll be able to access all this information. Secondly, if one of your new 'friends' has also downloaded that software, you may find yourself held responsible for their copy as well, despite never actually having met them!

It would, of course, be difficult to prove that you distributed the copy, and that your friends did not just follow your lead and download the software from the same source. However, if the latter is true then it's likely that you passed the URL to them, and enabled them to do so. With copyright law changing rapidly, it's hard to know what you might be opening yourself up to!

I'm not suggesting that social networking sites should be avoided completely, simply highlighting how your membership could be used against you. Whether you share software or not, you should examine the privacy settings on your account. Do you really need to let the whole world view your profile, and who you are friends with? Probably not; if someone wants to find you, they'll manage!



When I originally wrote this article in March 2010, it seemed unlikely that copyright holders would go to such lengths to identify distributors of copyrighted material. It would, after all, require either breaking the law or a lot of investigation. The former would be illegal whilst the latter would fail any cost/benefit analysis. However, the landscape has changed. A copyright protection firm in Bollywood has shown a willingness to break the law by launching Distributed Denial of Service attacks against those it believes to be violating its clients' copyright.

My original intention for this article was nothing more than an exercise of logic: could it be done? It's clear that copyright holders now believe that they are above the law, and can take any steps they believe necessary to protect their copyright. This should surprise no-one given the history of the war against 'piracy'. In 2005, Sony BMG attempted to surreptitiously install a rootkit on its customers' PCs.

Although against the law (and Sony BMG have paid a price), it's in a different league to deliberately launching a Distributed Denial of Service against a website for hosting nothing more than a link to your material (which, after all, is what the Pirate Bay does). No-one yet seems to have answered an important question about Aiplex's DDoS:

How did they launch it? Were they using zombies? Have they a client base willing to install a client similar to the Low Orbit Ion Cannon?

What I'm getting at here is just how far are they willing to go? Launching a DDoS is illegal, but if they were utilising a botnet composed of zombies (i.e. without the owners' permission) it only worsens their actions. Having had a good dig into Aiplex, I cannot see how they could have launched DDoS attacks any other way. So did they write their own malware, or purchase/rent a botnet from a criminal gang?

Clearly, the big media companies believe they have a right to break the law, but how far down the path are we? If they have reached the point of writing their own malware, we should be calling for criminal sanctions.

When TechRadar first reported on Aiplex's confession, they wondered how many other outfits were doing the same at the behest of the media giants. That question remains unanswered. All we've seen is more evidence of the outright naivety and incompetence of those involved in chasing copyright violations.